Existing software infrastructures and middleware provide uniform security services across heterogeneous information networks. However, few, if any, tools exist that support access control policy management for and between large enterprise information networks. Insiders often exploit gaps in policies to mount devastating attacks. This paper presents a Policy Machine and Policy Mediation Architec...

We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow softwar...

We propose a formal method to automatically integrate security rules regarding an access control policy (expressed in Or-BAC) in Java programs. Given an untrusted application and a set of Or-BAC security rules, our method derives corresponding AspectJ aspects. Derived aspects modify the behaviour of the underlying program so as to meet the policy. Then, these aspects are weaved into the target ...

Much of the work reported in the first three DSVIS conferences has concentrated on techniques and languages for specifying and developing interactive systems. In this paper, we argue that a change of emphasis may be necessary as the field matures. We argue that real projects with specific objectives for formal methods are more likely to employ a range of diverse, lightweight modelling technique...

For several years, the financial services industry has discovered the opportunities of different channels like the Internet, call-centers, WAP etc. Many banks built up separate direct banks focusing exclusively on the Internet and/or call-centers. Only recently, some banks started to reintegrate the direct banks with their traditional brickand-mortar banks in order to offer services over severa...

one of the main requirements for providing software security is the enforcement of access control policies, which is sometimes referred to as the heart of security. the main purpose of access control policies is to protect resources of the system against unauthorized accesses. any error in the implementation of access control policies may lead to undesirable outcomes. hence, we should ensure th...